File Vaulting

ism
New Contributor II

Hello there,

We have configured File Vault 2 as a policy and scoped it to users, and we have noticed that the Turn Off File Vault option is available to them. We have created a configuration profile which does the job and disables the option of disabling File Vault.

The question is, which one to use? If we decide to go with the Configuration Profile, at what time is the policy going to trigger? And should we get rid of the File Vault policy? Please suggest.

4 REPLIES

ism
New Contributor II


sdagley
Esteemed Contributor II

@ism Use a Configuration Profile to enforce the setting if you want to ensure your users can't turn off FV2. Configuration Profiles are executed as soon as the client machines get a notification via APNS, so if they're awake and on the network it's almost immediate. If you use a Configuration Profile to set FV2 you do not need a separate Policy for it.

davidacland
Honored Contributor II

We're using configuration profiles for FV as well. We used policies a few years ago, but switched to config profiles as soon as they were available.

gachowski
Valued Contributor II

So more info.

  1. I still think even with the "blocking" configuration profile, the user can still disable it from the CLI.
  2. Last I checked there is no way to set the enable profile to enable on log in; in my testing, with any other enable trigger the user can "cancel" and then still use the computer. If the policy is configured enable profile to enable on log in and the user "cancels" it, the machines just reboot to the log in window again and the same FV2 enable window.
  3. There is a new profile for High Sierra, so changes are coming with APFS.

C
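
A compliance check for the concern raised in the replies above (FileVault being turned off despite the profile), as an added example that is not part of the original thread. It classifies `fdesetup status` output and wraps the result in the `<result>` tags used by Jamf extension attributes; the function names are hypothetical, and the status strings matched are assumptions about the tool's wording that should be confirmed on your macOS version.

```shell
#!/bin/bash
# Added example: report FileVault state so drift from the enforced
# configuration shows up in inventory.

# classify_fv_status TEXT
# Prints one of: on, off, encrypting, decrypting, unknown.
# Progress lines are checked first because a volume that is being
# decrypted can still report "FileVault is On." on its first line
# (assumed output format).
classify_fv_status() {
    case "$1" in
        *"Decryption in progress"*) echo "decrypting" ;;
        *"Encryption in progress"*) echo "encrypting" ;;
        *"FileVault is On"*)        echo "on" ;;
        *"FileVault is Off"*)       echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# is_compliant STATE
# Succeeds only when the disk is encrypted or on its way to being encrypted.
is_compliant() {
    case "$1" in
        on|encrypting) return 0 ;;
        *)             return 1 ;;
    esac
}

# On a Mac, report the live state; on any other system only the
# functions above are defined and nothing is executed.
if command -v fdesetup >/dev/null 2>&1; then
    state=$(classify_fv_status "$(fdesetup status 2>&1)")
    if is_compliant "$state"; then
        echo "<result>Compliant ($state)</result>"
    else
        echo "<result>NOT compliant ($state)</result>"
    fi
fi
```

Scoping a smart group to the non-compliant result gives a way to alert on, or remediate, machines where encryption has been disabled.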